Semantical Aspects of an Architecture for Distributed Embedded Systems

Size: px
Start display at page:

Download "Semantical Aspects of an Architecture for Distributed Embedded Systems"

Transcription

1 Semantical Aspects of an Architecture for Distributed Embedded Systems Roel Bloo Eindhoven University of Technology Eindhoven, The Netherlands Jozef Hooman University of Nijmegen Nijmegen, The Netherlands Edwin de Jong Hollandse Signaalapparaten B.V. Hengelo, The Netherlands ABSTRACT We investigate the formulation of a formal semantics for the industrial software architecture Splice. In this paper, we present a set of basic Splice interaction primitives that is both powerful and easy to implement. We define a semantics for this language based on a conceptual global dataspace. It is shown that the semantics is equivalent to an implementation-biased semantics where each process has its own local dataspace and communication is established by means of asynchronous message passing. Hence, our language allows both convenient reasoning using a global dataspace and efficient implementation by means of distributed dataspaces. The equivalence result is checked mechanically by means of the interactive theorem prover PVS. 1. INTRODUCTION This introduction contains an overview of the general context of our research, an informal explanation of the Splice architecture and the aims of the work described here. 1.1 Context of the research Our research concerns the construction of complex distributed software applications that have to satisfy strong requirements concerning functional correctness and reliability. An industrial solution to tackle this complexity is the definition of a suitable underlying architecture which provides high-level communication mechanisms and construction rules for the components. This architecture should be general enough to be suitable for a whole family of products. Our aim is to combine this solution with another technique to increase the quality and reliability of applications, namely the use of formal methods. This means that there are precise mathematical models for specifications and implementations and suitable techniques to relate the two. As a specific case study we consider the software architecture Splice, as devised by the company Hollandse Signaalapparaten. It forms This research is supported by the Technology Foundation STW (grant EIF.3959), applied science division of NWO and the technology programme of the Dutch Ministry of Economic Affairs. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SAC Como, Italy Copyright 2000 ACM /97/05..$5.00 the core of many of their products, especially in the field of command and control systems. Typically, such systems receive large streams of data from sensors which are used to build a coherent image of the environment and to take appropriate action on the basis of this information. Additionally, the internal representation is visualized for operators which interact with the system. All these tasks are carried out by a large number of parallel processes. Splice can be seen as a coordination language that provides a suitable communication mechanism where processes need not know the producers of the data they need or the consumers of the data they produce. Important is that Splice allows dynamic reconfiguration of the system and, for instance, duplication of processes, thus achieving a high degree of reliability and fault-tolerance. Other work 9; 10] has addressed the formalization of the requirements of such command and control systems. This has resulted in a structured specification in the language of the interactive theorem prover PVS 8]. Our aim is to define a verification method to prove that a Splice program satisfies such a specification. To be able to deal with large programs, we aim at a compositional framework which allows reasoning by means of the interface specifications of components, without knowing their implementation 6]. As a starting point for such a verification method, a formal definition of the Splice interaction primitives is needed. There is already some work on the semantics of Splice, e.g. a comparison of semantic choices using an operational semantics 3; 4] and a process algebra framework 5]. We aim at a denotational semantics, however, since this is the proper starting point for compositional reasoning. Furthermore, we would like to investigate which choice of Splice primitives is most convenient for high-level reasoning and, at the same time, allows efficient implementation. Finally, to achieve convenient tool support for our work and a clear relation with the requirements specification, our semantics will be formulated in the language of PVS. 1.2 The coordination language Splice The basic idea behind Splice 2] is that a process which consumes certain data need not know which process produces it. In fact, there may be several producers. The consumer simply registers its interest by subscribing to a certain data sort. Next it will be able to read produced data items of this sort, where it can use keys and queries to filter the data stream on certain aspects (e.g. in an air traffic management system, on flight number or distance to the airport). Similarly, the producers need not know the consumers of their data. In the rest of this section we consider several examples of simple programs using read and write primitives. The intended meaning of these primitives will vary per example, but the basic intention is that Write(d) writes the value of d to the dataspace(s) and

2 Read(x, q) asks the dataspace a query q and assigns the answer of the dataspace to its variable x. Typical for the applications built with Splice is that it is often not needed to ensure that all data will be consumed or that it will be consumed in the order it is produced, since there is usually a continuous stream of data available from the sensor. Moreover, there are often no strong consistency requirements on processes that consume the same data. Hence, Splice provides a simple but powerful coordination scheme that requires little overhead. Nothing is guaranteed about the speed or order at which data items of producers become available for consumers. For instance, in the program (Write(0) ; Write(1)) Read(x, true) where the read command has a true query to be able to read all data elements, it is possible that the value 1 is already available for the read -command, whereas the value 0 cannot be read yet. But if, for instance, ordered messages are needed, sequence numbers can be included in the data and the reader might read with a query on the next sequence number. It is also possible (and often done in practice) to include a time-stamp in the data sort and to express in the query that the data has a recent time-stamp. Given this basic idea, there are a large number of possible variations, especially concerning the syntax and the semantics of the read operations. We list a number of questions: 1. Which queries can be formulated; a predicate on data items (e.g. a data item with time stamp greater than 10 ) or a predicate on the complete set of available data items (e.g. an available data item with maximal time stamp )? 2. Does the read operation return the set of all available data items that satisfy the query or just one item? 3. Does the read operation block if there is no item satisfying its query or is there an exception/error (or, e.g. the empty set in case a set is returned)? 4. Is the set of available data items the same for all consumers at any moment or can this be different? 1.3 The goal of this work The last question above addresses an important point; conceptually Splice can be seen as a large global dataspace, where producers write data items and subscribers can select items to read, see figure 1. process process process global dataspace Figure 1: Processes communicating via a global dataspace. However, in a distributed implementation each process has a local dataspace with its locally available items, see figure 2. Then, a write action is non-atomically distributed to all local dataspaces process process process local dataspace local dataspace local dataspace Figure 2: Processes communicating via local dataspaces. (as is done in the current distributed implementation of Splice); consequently the order of the updates at local dataspaces might be different. Often there is a large stack of protocols to guarantee consistency of the local dataspaces. A design choice of Splice is to avoid these consistency protocols by carefully designing syntax and semantics such that the conceptual model of a single global dataspace can be implemented by distributed local dataspaces without much overhead. The aim of our work is to formalize these ideas, that is, to define a simple but powerful Splice language with a denotational semantics based on a global dataspace and to prove that this semantics is equivalent to an interpretation with distributed local dataspaces. 1.4 Examples of non-equivalent variations Note that the goal above is not trivial, since there are many variations of Splice-like languages where the meaning differs, depending on the dataspace model. We present a few cases where the equivalence does not hold: Suppose a read statement returns the set of all data items that satisfy the query. Moreover, assume read statements are blocking, so the result of a read is never the empty set. Consider the following program, where X and Y range over sets of data items. Write(0) Read(Y, true) (Read(X, true) ; Write(1)) In this and the following examples in this section, we assume that all programs are closed in the sense that there are no other write actions than the ones shown this is formalized later. In the distributed implementation (where write actions are distributed to the local dataspaces non-atomically), Y might get the value {1}, since it is possible that 0 arrives much later in the local dataspace of the second process. In the conceptual model with a single global dataspace, however, Y never becomes {1} since 0 should be available in the dataspace before 1 can be written, so the second process can read {0} or {0, 1}. Now again assume that a read statement returns the set of all data items that satisfy the query, but suppose read statements are non-blocking (returning the empty set if there are no data items satisfying the query). First observe that the program above yields the same results in both models; X might get the values or {0} (i.e. item 1 is never available for the first read) and Y can read any combination of 0 and 1 (i.e., {0}, {1}, or {0, 1}). However, then the following program shows a difference.

3 Write(0) Read(Y, true) ( Read(X, true) ; if X then Write(1) fi ) In the conceptual model with a global dataspace, value 1 is written when 0 is already available in the dataspace and, as in the previous example, Y cannot get the value {1}. The implementation with local dataspaces allows an execution where Y becomes {1}; then the value 0 becomes available in the dataspace of the third process much earlier than in that of the second process, where it arrives even after the value 1 written by the third process. The problem here is that in this example we have constructs by which we can observe whether a data item is present or not. This can be exploited to observe the difference between the conceptual global dataspace model and the implementation with distributed dataspaces. As another example, suppose read statements are blocking and return a single data item that satisfies the query. If queries are restricted to predicates on state-variables and data, this is the language for which we show equivalence of the two semantics. However, the equivalence does not hold if the queries are predicates on the dataspace. Consider, for instance, the possibility of reading minimal or maximal values (e.g., Read(x, min) yields the minimal value available in the (local) dataspace at the moment), and the following program. (Write(0) ; Write(1)) (Read(x, min) ; Read(y, min)) (Read(u, max) ; Read(v, max)) In the implementation model with local dataspaces, x, y, u, v may get values 1, 0, 0, 1 respectively, since in the dataspace of the second process 1 may arrive before Read(x, min) is executed and 0 may arrive afterwards (but before execution of the statement Read(y, min)), whereas in the dataspace of the third process 0 may arrive before 1 does. This is of course impossible in the conceptual model with one global dataspace. Observe that this example again depends on the possibility of testing for absence of data (if Read(x, min) returns value 1 then the value 0 must be absent in the dataspace). Note that if read statements are non-blocking and return an error value when no data item satisfies the query (and otherwise a single data item satisfying the query), then we can also observe whether a data item is present, even for queries that are restricted to predicates on data only. 1.5 Tool support The verification system PVS 8] 1 has been used to support our research. Two versions of the semantics, one for the conceptual view of a global dataspace and one for the implementation based view of local dataspaces, have been defined in PVS. The specification language of PVS is a classical, typed higher-order logic with a large number of built-in types (e.g. booleans, integers reals) and typeconstructors (as functions, sets, tuples, records), including a powerful mechanism to define abstract datatypes. Specifications can be structured by hierarchies of parameterized theories. The PVS system contains a powerful theorem prover that can be used to construct proofs of theorems interactively. Proofs are recor- 1 PVS is freely available, see the web-site of SRI International ded and can be rerun after changes. All results mentioned in this paper have been checked mechanically by means of PVS Structure of this paper The structure of the paper is as follows. In section 2 we introduce a simple language with Splice interaction primitives. A semantics for this language based on the conceptual model with a single global dataspace is presented in section 3. A semantics based on the implementation model with distributed local dataspaces is defined in section 4. In section 5 we show that these two semantics are equivalent. Section 6 contains a brief discussion of related work and some concluding remarks can be found in section SYNTAX OF A SPLICE-LIKE COORDI- NATION LANGUAGE To high-light the essential ideas, we incorporate the basic Splice interaction primitives in a simple imperative coordination language. With respect to the questions listed in section 1.2 the following choices have been made. Queries are predicates on data items and a state, the read operation returns exactly one data item satisfying the query and blocks if there is none. The question whether the set of available data items is the same for all consumers at any time corresponds to the choice between the global or the local model. We assume a data type Data and a set of variables Vars. Then the state of a program is a function from variables to data, i.e., States = Vars Data, and expressions are functions of type States Data. Now programs in our language are defined as follows: P ::= Skip Write(e) Read(x, q) Some remarks are in order here: P 1 ; P 2 P 1 P 2 Close(P). Skip denotes the empty program. Write(e) writes the data value denoted by expression e to the dataspace. Read(x, q) assigns to the variable x a previously written data element satisfying the query q. It blocks if there is no such element. P 1 ; P 2 denotes sequential composition. P 1 P 2 denotes parallel composition. As a syntactic constraint, we require that the set of variables of the two processes in the parallel composition be disjoint. Close( P) denotes the closure operation. It specifies that all data items that have been read by statements in P also have been produced by preceding writes inside P. There is no hiding of the produced data items, so they might be read by an external reader. In PVS, this language is represented as an abstract datatype, which allows us to use recursive definitions and proofs by induction on the structure of programs. Note that, for simplicity, we do not distinguish between different datasorts. An extension to multiple sorts and adding a sort to the closure operation, is straightforward. Similarly, it is easy to add more programming constructs such as assignment, choice, and while. See, for instance, 7] for the denotational semantics of a real-time imperative programming language in PVS. 2 For a PVS dump file with all theories and proofs, see hooman/splicesem.html

4 3. SEMANTICS FOR THE MODEL WITH A GLOBAL DATASPACE In this section we define the semantics of our coordination language under the assumption that there is a single global dataspace. We refer to it as the global semantics. The values of internal variables of a process are represented by a state, which is a function from variables to Data. Furthermore, let Events be a set of events. The meaning of a program P, given an initial state representing the values of the variables at the start of the program, is a set of semantic primitives. Each semantic primitive corresponds to a terminated execution. For simplicity we do not model blocking or infinite computations. Semantic primitives, denoted sp, are records in PVS with three fields: st: the final state of the program, representing the situation after the execution. evs: a subset of Events containing those events that occur during the execution of P. An event represents the occurrence of an action. Let act be a global function that yields for each event in the set Events the corresponding action. Here we have actions of the form R(d) and W(d) denoting the reading and writing, resp., of data element d. Note that if we replace evs and act by a multiset of actions, then we cannot order events with the same action and hence it is not possible to distinguish them. ord: a strict (irreflexive & transitive) partial order on the set of events (evs). Intuitively, we have ord(e 1, E 2 ) iff E 1 is a read event occurring before E 2 ; if E 2 is a read event then anything available in the dataspace at the moment of execution of E 1 will also be available at the moment of execution of E 2, and if E 2 is a write event then the value written by E 2 can not be available in the dataspace at the moment of execution of E 1 (unless there is another write action writing the same value). Next we present the formal semantics of the language constructs in the setting of the conceptual model with a single global dataspace. This is done by defining a function ]] which maps a program P, given an initial state s, to a set of semantic primitives, denoted P ]](s). Here, a semantic primitive, represented in PVS by a record, is denoted by a triple (s, eset, ), where s is a state, eset a set of events and a strict partial order on eset. The functions st, evs, and ord are used to access the first, second and third field of these triples. Skip ]](s) = {(s,, )} The skip statement performs no visible actions. Hence, the set of events (and its order) are empty, and the final state is equal to the initial state s. Write(e) ]](s) = { (s, {E}, ) E Events act(e) = W(e(s)) } A write statement Write(e) performs a single event E that corresponds to a write action with the value of e evaluated in the state s. The initial state s is unaffected. Read(x, q) ]](s) = { (sx d],{e}, ) E Events d Data q(d, s) act(e) = R(d) } To understand the semantics of statement Read(x, q), it is important to recall that we aim at a denotational, i.e. compositional, framework. This means that the semantics of a read statement should allow the combination with any context, where in principle every possible data item could be written. So we have to take an arbitrary environment into account. This is done by including semantic primitives for all data items d Data that satisfy the query in the initial state (i.e., q(d, s) holds). So the semantics includes all possibilities and only at the point of applying a closure operation we decide about the actual values read. We use sx d] to denote the state that equals s except that the value of x has been replaced by d. P 1 ; P 2 ]](s) = { sp sp 1, sp 2 sp1 P 1 ]](s) sp 2 P 2 ]](st(sp 1 )) st(sp) = st(sp 2 ) evs(sp 1 ) evs(sp 2 ) = evs(sp) = evs(sp 1 ) evs(sp 2 ) E 1, E 2 evs(sp) ord(sp)(e 1, E 2 ) ( ord(sp1 )(E 1, E 2 ) ord(sp 2 )(E 1, E 2 ) R?(E 1 ) )]]} Here R?(E 1 ) is an abbreviation for dact(e 1 ) = R(d)]. The meaning of P 1 ; P 2 expresses that the final state of this construct is produced by P 2, starting in the final state of P 1. The latter executes from the original initial state s. We require that the event sets of the two components be different. This requirement can always be met simply by renaming common events, assuming that there are sufficiently many events to make this possible. The events of P 1 ; P 2 are those performed by P 1 or P 2. The order on the resulting event set respects the orders of P 1 and P 2 ; additionally, the order requires that each read action by P 1 occurs before any event of P 2. P 1 P 2 ]](s) = { sp sp 1, sp 2 sp1 P 1 ]](s) sp 2 P 2 ]](s) xst(sp)(x) = if x vars(p 1 ) then st(sp 1 )(x) else if x vars(p 2 ) then st(sp 2 )(x) else s(x)] evs(sp 1 ) evs(sp 2 ) = evs(sp) = evs(sp 1 ) evs(sp 2 ) ord(sp) = ord(sp 1 ) ord(sp 2 ) ]} In P 1 P 2 both processes start from the initial state s and, since there are no shared variables, the final state of the parallel construct is obtained by simply combining the two final states. Similar to sequential composition, the event sets of P 1 and P 2 are assumed to be disjoint, and the events of P 1 P 2 are those that occur in P 1 or P 2. No additional ordering is imposed by the parallel composition. Close(P) ]](s) = { sp sp 1 sp1 P ]](s) st(sp) = st(sp 1 ) ord(sp) = evs(sp) = {E E evs(sp 1 ) R?(E)} is a strict and total order on evs(sp 1 ) ord(sp 1 ) E evs(sp 1 ), d Dataact(E) = R(d) E 1 evs(sp 1 )E 1 E act(e 1 ) = W(d)]] ]]} The semantics of the Close operation formalizes the relation between read and write actions. Recall that the semantics of a read

5 statement includes all possible data items and only at closure it can be checked which data items are actually available. This is done by imposing a strict total order on the events of P, extending the existing order ord, such that each read action R(d) is preceded by a corresponding write action W(d). Only the semantic primitives from P for which such a total order exists are retained in the semantics of Close(P). Examples We present a few simple examples to illustrate the semantics. In the following program, the variable x might become 0 or 1, which is reflected in its denotational semantics. Close ( (Write(0) ; Write(1)) Read(x, true) ) ]](s) = { sp (st(sp) = sx 0] st(sp) = sx 1]) ord(sp) = E 1, E 2 : Eventsevs(sp) = {E 1, E 2 } act(e 1 ) = W(0) act(e 2 ) = W(1)] } The following example illustrates how read actions are delayed until the requested data item arrives in the shared dataspace. Let P be the program (Write(0) ; Write(1)) (Read(x, x > 0) ; Read(y, y < x)). Then Close(P) ]](s) = { sp (st(sp) = sx 1]y 0] ord(sp) = E 1, E 2 : Eventsevs(sp) = {E 1, E 2 } act(e 1 ) = W(0) act(e 2 ) = W(1)] } 4. SEMANTICS FOR THE MODEL WITH DISTRIBUTED LOCAL DATASPACES Here we present the semantics of an implementation-biased model with distributed local dataspaces, henceforth called the local semantics. To formalize that in this model, read statements of different components might observe the write events in different order, we introduce a set ProcIds of process identifiers and extend the semantic primitives of the previous section. In addition to the three fields st, evs and ord, we add a fourth pid field, which is a function that assigns a process identifier to each event in evs. This leads to so-called local semantic primitives (denoted lsp). For simplicity, we restrict ourselves to so-called non-nested Splice programs, denoted by S, where parallel composition does not occur inside sequential composition. In this way, we avoid a complex definition of assigning pids to processes. Consider, e.g., a program of the form (P 1 P 2 ) ; P 3. Here it is unclear whether the pid of program P 3 should be equal to the pid of P 1, P 2 or none of them. The semantics of a non-nested Splice program S, given an initial state s, to a set of local semantic primitives, denoted SemL(S)(s), is obtained by adapting the semantics of the previous section as follows. The local semantics of the three atomic statements Skip, Write(e) and Read(x, q) is basically equal to the global semantics extended with a pid field. The value of this field is not restricted and may take any possible value, e.g.: SemL(Write(e))(s) = { (s,{e},, p) E Events p : {E} ProcIds act(e) = W(e(s)) }. For sequential composition we require, in addition to the global semantics, that the events of both components be assigned the same pid. The semantics of parallel composition extends the global semantics by requiring that the events of both components are assigned different pids. The new semantics of Close becomes more complex, as explained below. SemL(Close(S))(s) = { lsp lsp 1 lsp1 SemL(P)(s) st(lsp) = st(lsp 1 ) ord(lsp) = evs(lsp) = {E E evs(lsp 1 ) R?(E)} E evs(lsp)pid(lsp)(e) = pid(lsp 1 )(E)] 1 1 is a strict order on evs(lsp 1 ) and 1 is total on {E evs(lsp 1 ) R?(E)} ord(lsp 1 ) 1 E 1, E 2 evs(lsp 1 )E 1 1 E 2 R?(E 1 )] p 2 2 is a strict and total order on evs(lsp 1 ) 1 2 E evs(lsp 1 ), d Dataact(E) = R(d) pid(lsp 1 )(E) = p E 1 evs(lsp 1 )E 1 2 E act(e 1 ) = W(d)]] ]]]} Observe that the events of Close(S) are assigned the same pid as in S (line 5) and that the main difference with the semantics of the previous section concerns the order on the events. The requirement of a single, total order on all events is replaced by two conditions: 1. There should be a global total order 1 on the read events which extends ord but does not order write events before others (lines 6 to 9). 2. For each process identifier p there exists a local total order 2 which extends 1 (lines 10 and 11) and is such that each read event with process identifier p has a preceding (w.r.t. 2 ) write event with the same value (lines 12 to 15). This local order allows write actions to be ordered differently for each process, modelling the non-atomicity of write actions. To understand the reason for the complexity of this definition, it might be instructive to mention that in an early attempt we did not include the first condition and used only the second condition, with 2 extending ord. Then the proof of equivalence in PVS failed and we found that the definition was wrong. Consider, for instance, Close ( (Read(x, x = 0) ; Write(1)) (Read(y, y = 1) ; Write(0)) ). As we have shown in PVS, the global semantics of this program leads to the empty set. This conforms to the intuition that for both processes the read statement blocks, i.e. the complete program leads to deadlock. Our erroneous local semantics however did not yield the empty set because for each process we could order the two read events differently. 5. EQUIVALENCE OF THE TWO MODELS To express the equivalence of the two semantics defined above, we remove the pids from the local semantics. This is done by a function RmPids which removes the pids from the local semantic

6 primitives to obtain the semantic primitives of the global semantics. Then we prove, for a non-nested Splice program S, that S ]] = RmPids(SemL(S)). The main issues in the proof concern: 1. The equivalence for the Close-operator, especially showing that we can construct a global order for the global semantics, given the local orders for the processes in the local semantics. 2. The existence of a pid assignment, satisfying the constraints, for the local semantics, given a semantic primitive in the global semantics of a non-nested Splice program. Since both issues involve quite some technical detail and proof effort, they are separated by introducing an intermediate semantics for non-nested Splice programs S with initial state s, denoted SemG(S)(s), where we have added a pid-field to the global semantics. For SemG(S)(s), the semantics of the Close-operator equals the one for the global semantics plus the constraint on pids of the local semantics. All other statements have the local semantics, which equals the global one plus constraints on pids. Then the proof is split into the following two lemmas, corresponding to the two issues above: 1. SemL = SemG. An outline of the proof can be found in section S ]] = RmPids(SemG(S)). The proof of this property is sketched in section 5.2. For more details we refer to the technical report 1]. 5.1 Equivalence of the two semantics of the Close-operator To prove SemL(S) = SemG(S), for any non-nested Splice program S, first observe that it is rather straightforward to prove that if lsp SemG(S)(s) then lsp SemL(S)(s). The proof proceeds by induction on the structure of S, which is possible in PVS because we have defined programs as an abstract data type. Most cases are trivial, only for the Close statement one has to observe that given a strict total order on the events, this order can be used as the required order on the read events and also as the local order for each process identity. The proof that lsp SemL(S)(s) implies lsp SemG(S)(s) also proceeds by induction on S. The main issue here is again the proof for the Close statement; given a strict total order on all read events ( 1 ) and for each process identifier a total order on all events ( 2 see the definition of SemL(Close(S))(s)), we have to construct a global strict total order on all events. To do this, we introduced in PVS an axiom stating that there exists some total order events on the set of all events Events. This order is used to construct a so-called minimal extension me of the order 1 on the read events: E 1 me E 2 ( ) R?(E1 ) E 1 1 E 2 ( R?(E 1 ) R?(E 2 ) E 2 1 E 1 ) E 3 (R?(E3 ) E 3 1 E 2 E 3 1 E 1 ] ( E 1 events E 2 E 3 E3 1 E 1 E 3 1 E 2 ]). The idea is that write events are ordered as early as possible in the sense that any read event that does not preceed a write event E in ord is ordered after E by me. Hence this minimal extension orders all write events not later than any of the local orders. We have proved that this minimal extension satisfies the condition on the read events in the definition of the global semantics SemG(Close(S))(s) (which is equal to the one in the definition of Close(S) ]](s)), because this condition is invariant under the operation of ordering write events earlier. 5.2 Existence of pids To prove S ]] = RmPids(SemG(S)), first observe that one direction is quite obvious. Recall that RmPids removes the pid field of a local semantic primitive lsp. Hence, lsp SemG(S)(s) implies RmPids(lsp) S ]](s). This has been proved in PVS by induction on S; all cases for the language constructs could be proved automatically. Next consider the other direction, i.e., sp S ]](s) implies that there exists a local semantic primitive lsp such that RmPids(lsp) = sp and lsp SemG(S)(s). The problem here is to construct a pidfield that can be added to sp, i.e., a function from the events to process identifiers, which satisfies the constraints of the semantics. Recall that for sequential composition, the pids of events of the components should be equal, whereas for parallel composition they have to be different. Hence, as long as S does not contain any parallel composition, all events should have the same pid. Otherwise, since S is non-nested, we only have to deal with parallel composition and closure operations and then it is important to be able to choose different pids. To formalize this, we have proved a stronger lemma expressing that if sp S ]](s) then a) if S does not contain parallel composition then for each pid p there exists an lsp such that RmPids(lsp) = sp, lsp SemG(S)(s) and E evs(lsp)pid(lsp)(e) = p]; b) otherwise, for each set of pids pset there exists a local semantic primitive lsp such that RmPids(lsp) = sp, lsp SemG(S)(s) and E evs(lsp)pid(lsp)(e) / pset]. Additionally, we have to assume that there are sufficiently many process identifiers. Then the lemma is strong enough to be proved by induction on the structure of program S. 6. RELATED WORK Since our aim is to develop a compositional proof system for proving properties about Splice programs, we defined a denotational semantics for the Splice interaction primitives. There are already a few other semantic models for closely related languages. We discuss the operational semantics of 3; 4] and an algebraic framework 5]. In 3] a transition system semantics for a subset of Splice interaction primitives is presented. The resulting semantics is similar to our implementation model semantics. Differences are the use of a new operation to fork processes instead of parallel composition, a get operation and the absence of a state so that write operations can only write values. The queries are predicates on data only. In 4], Bonsangue et al. study the relationship between several different models for a data-oriented coordination language. Although we do not have an explicit database in the semantics, it is possible to construct one corresponding to each semantic primitive. Then our conceptual model corresponds to the unordered centralized system with a set dataspace in 4], and our implementation model is related to their distributed system with a set dataspace. Bonsangue et al. show that these two systems are equivalent for programs using read, write and test-for-absence operators 3. Apart from the fact 3 The test-for-absence operator blocks if the specified value is available in the dataspace.

7 that we give a denotational semantics where Bonsangue et al. give an operational semantics and that our semantics and proofs have been formalized in PVS, a difference between their work and ours is that read operations do not have queries in 4]. Simple queries on the requested data item only can be simulated in the system of Bonsangue by using a (possibly infinite) choice, but we allow stronger queries, namely on the current state as well as the data value. These queries can not be simulated in the system of Bonsangue et al. This explains why in 4] the systems are equivalent even in the presence of a test-for-absence. Another approach for giving a semantics to part of the Splice language has been taken in 5], where Splice is described in terms of process algebraic laws. The approach is inspired by a process algebra for describing delay-insensitive communications. Whereas the aim of 5] is to be able to reason and compute algebraically with programs, we aim at compositional assertional verification of programs. Indeed we can prove properties formally that have are axiomatized as laws in the Splice Process Algebra of 5]. A few examples of general process algebraic laws that have been proven to hold in our semantics: Symmetry of, i.e., P 1 P 2 ]] = P 2 P 1 ]] for all programs P 1, P 2. Associativity of and ;, that is, for all programs P 1, P 2, P 3, P 1 (P 2 P 3 ) ]] = (P 1 P 2 ) P 3 ]] and P 1 ; (P 2 ; P 3 ) ]] = (P 1 ; P 2 ) ; P 3 ]]. The following general law has also been proven. Sequential composition of write statements is equivalent to their parallel composition: Write(e 1 ) ; Write(e 2 ) ]] = Write(e 1 ) Write(e 2 ) ]], for all expressions e 1, e 2. Now we have, as a consequence of the first and third law above, law 10 from 5] (we translate the action-prefix of the Splice process algebra to sequential composition): Symmetry of sequential writes: Write(e 1 ) ; Write(e 2 ) ]] = Write(e 2 ) ; Write(e 1 ) ]], again for all expressions e 1, e 2, 7. CONCLUDING REMARKS We have proven that for the coordination language introduced in section 2, the semantics according to the conceptual model of a single global dataspace (presented in section 3) is equivalent to the semantics corresponding to the distributed implementation model with a local dataspace for each process (presented in section 4). This proof has been completely formalized and checked mechanically by means of the interactive theorem prover of PVS. We found this kind of tool support very useful for checking the correctness of the semantics definition as well as the proof itself. Without mechanized support, the error in the definition of the semantics of the Close-operator as explained in section 4 might not have been found. Due to the equivalence it is now possible to use the global dataspace semantics for formally verifying properties of a system implemented on an architecture with local dataspaces. Interesting subjects for further research are a formal equivalence proof of our semantics and a more operational transition system semantics in the style of 3]. We expect that it is rather straightforward to extend the language with loops and non-blocking read operations. Furthermore, one of our goals is to study the use of formal methods and techniques in the design process leading from the formal requirements specification of a system towards its correct implementation. In other work (cf. 9; 10]), a method for writing formal requirements specifications in PVS has been developed. It is our goal to give a similar semantics as the one presented in this paper to these requirements specifications, and next devise a method to formally verify properties of an implementation of such a specification. 8. ACKNOWLEDGEMENTS We would like to thank Marcello Bonsangue, Paul Dechering, Rix Groenboom and the anonymous referees for their useful comments on a draft of this paper. 9. REFERENCES 1] R. Bloo, J. Hooman, and E. de Jong. Semantical aspects of an architecture for distributed embedded systems. Technical report, Eindhoven University of Technology, ] M. Boasson. Control systems software. IEEE Transactions on Automatic Control, 38(7): , ] M. M. Bonsangue, J. Kok, M. Boasson, and E. de Jong. A software architecture for distributed control systems and its transition system semantics. In Proceedings of the 1998 ACM Symposium on Applied Computing (SAC 98), pages ACM Press, ] M. M. Bonsangue, J. Kok, and G. Zavattaro. Comparing coordination models based on shared distributed replicated data. In Proceedings of the 1999 ACM Symposium on Applied Computing (SAC 99). ACM Press, ] P. Dechering, R. Groenboom, E. de Jong, and J. Udding. Formalization of a Software Architecture for Embedded Systems: a Process Algebra for Splice. In Proceedings of the Hawaiian International Conference on System Sciences (HICSS-32), Maui, Hawaii, January IEEE Computer Society. 6] J. Hooman. Specification and Compositional Verification of Real-Time Systems. LNCS 558, Springer-Verlag, ] J. Hooman. Correctness of real time systems by construction. In Formal Techniques in Real-Time and Fault-Tolerant Systems, pages LNCS 863, Springer-Verlag, ] S. Owre, J. Rushby, N. Shankar, and F. von Henke. Formal verification for fault-tolerant architectures: Prolegomena to the design of PVS. IEEE Trans. Softw. Eng., 21(2): , ] J. van de Pol, J. Hooman, and E. de Jong. Formal requirements specification for command and control systems. In Proceedings of the Conference on Engineering of Computer- Based Systems, pages IEEE, ] J. van de Pol, J. Hooman, and E. de Jong. Modular formal specification of data and behaviour. In K. T. K. Araki, A. Galloway, editor, Proceedings 1st Conference on Integrated Formal Methods (IFM 99), pages Springer- Verlag, 1999.

On the Verification of Coordination

On the Verification of Coordination On the Verification of Coordination Paul Dechering 1 and Izak van Langevelde 2 1 Hollandse Signaalapparaten B.V. P.O. Box 42, 7550 GD Hengelo, The Netherlands paul@dechering.net 2 Centrum voor Wiskunde

More information

Handout 9: Imperative Programs and State

Handout 9: Imperative Programs and State 06-02552 Princ. of Progr. Languages (and Extended ) The University of Birmingham Spring Semester 2016-17 School of Computer Science c Uday Reddy2016-17 Handout 9: Imperative Programs and State Imperative

More information

Program Design in PVS. Eindhoven University of Technology. Abstract. Hoare triples (precondition, program, postcondition) have

Program Design in PVS. Eindhoven University of Technology. Abstract. Hoare triples (precondition, program, postcondition) have Program Design in PVS Jozef Hooman Dept. of Computing Science Eindhoven University of Technology P.O. Box 513, 5600 MB Eindhoven, The Netherlands e-mail: wsinjh@win.tue.nl Abstract. Hoare triples (precondition,

More information

Formalization of a Software Architecture for Embedded Systems: a Process Algebra for SPLICE

Formalization of a Software Architecture for Embedded Systems: a Process Algebra for SPLICE Formalization of a Software Architecture for Embedded Systems: a Process Algebra for SPLICE Paul Dechering Rix Groenboom Edwin de Jong Jan Tijmen Udding Applied Systems Research Hollandse Signaalapparaten

More information

Designing Views to Answer Queries under Set, Bag,and BagSet Semantics

Designing Views to Answer Queries under Set, Bag,and BagSet Semantics Designing Views to Answer Queries under Set, Bag,and BagSet Semantics Rada Chirkova Department of Computer Science, North Carolina State University Raleigh, NC 27695-7535 chirkova@csc.ncsu.edu Foto Afrati

More information

3.7 Denotational Semantics

3.7 Denotational Semantics 3.7 Denotational Semantics Denotational semantics, also known as fixed-point semantics, associates to each programming language construct a well-defined and rigorously understood mathematical object. These

More information

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic 3.4 Deduction and Evaluation: Tools 3.4.1 Conditional-Equational Logic The general definition of a formal specification from above was based on the existence of a precisely defined semantics for the syntax

More information

The Encoding Complexity of Network Coding

The Encoding Complexity of Network Coding The Encoding Complexity of Network Coding Michael Langberg Alexander Sprintson Jehoshua Bruck California Institute of Technology Email: mikel,spalex,bruck @caltech.edu Abstract In the multicast network

More information

time using O( n log n ) processors on the EREW PRAM. Thus, our algorithm improves on the previous results, either in time complexity or in the model o

time using O( n log n ) processors on the EREW PRAM. Thus, our algorithm improves on the previous results, either in time complexity or in the model o Reconstructing a Binary Tree from its Traversals in Doubly-Logarithmic CREW Time Stephan Olariu Michael Overstreet Department of Computer Science, Old Dominion University, Norfolk, VA 23529 Zhaofang Wen

More information

Distributed Systems Programming (F21DS1) Formal Verification

Distributed Systems Programming (F21DS1) Formal Verification Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on

More information

An Annotated Language

An Annotated Language Hoare Logic An Annotated Language State and Semantics Expressions are interpreted as functions from states to the corresponding domain of interpretation Operators have the obvious interpretation Free of

More information

CS4215 Programming Language Implementation. Martin Henz

CS4215 Programming Language Implementation. Martin Henz CS4215 Programming Language Implementation Martin Henz Thursday 26 January, 2012 2 Chapter 4 The Language simpl In this chapter, we are exting the language epl in order to provide a more powerful programming

More information

AXIOMS FOR THE INTEGERS

AXIOMS FOR THE INTEGERS AXIOMS FOR THE INTEGERS BRIAN OSSERMAN We describe the set of axioms for the integers which we will use in the class. The axioms are almost the same as what is presented in Appendix A of the textbook,

More information

Programming Languages Third Edition

Programming Languages Third Edition Programming Languages Third Edition Chapter 12 Formal Semantics Objectives Become familiar with a sample small language for the purpose of semantic specification Understand operational semantics Understand

More information

A Mechanism for Sequential Consistency in a Distributed Objects System

A Mechanism for Sequential Consistency in a Distributed Objects System A Mechanism for Sequential Consistency in a Distributed Objects System Cristian Ţăpuş, Aleksey Nogin, Jason Hickey, and Jerome White California Institute of Technology Computer Science Department MC 256-80,

More information

Automata Theory for Reasoning about Actions

Automata Theory for Reasoning about Actions Automata Theory for Reasoning about Actions Eugenia Ternovskaia Department of Computer Science, University of Toronto Toronto, ON, Canada, M5S 3G4 eugenia@cs.toronto.edu Abstract In this paper, we show

More information

3 No-Wait Job Shops with Variable Processing Times

3 No-Wait Job Shops with Variable Processing Times 3 No-Wait Job Shops with Variable Processing Times In this chapter we assume that, on top of the classical no-wait job shop setting, we are given a set of processing times for each operation. We may select

More information

ACONCURRENT system may be viewed as a collection of

ACONCURRENT system may be viewed as a collection of 252 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 10, NO. 3, MARCH 1999 Constructing a Reliable Test&Set Bit Frank Stomp and Gadi Taubenfeld AbstractÐThe problem of computing with faulty

More information

A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm

A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm Appears as Technical Memo MIT/LCS/TM-590, MIT Laboratory for Computer Science, June 1999 A Correctness Proof for a Practical Byzantine-Fault-Tolerant Replication Algorithm Miguel Castro and Barbara Liskov

More information

Constrained Types and their Expressiveness

Constrained Types and their Expressiveness Constrained Types and their Expressiveness JENS PALSBERG Massachusetts Institute of Technology and SCOTT SMITH Johns Hopkins University A constrained type consists of both a standard type and a constraint

More information

Specifying and Proving Broadcast Properties with TLA

Specifying and Proving Broadcast Properties with TLA Specifying and Proving Broadcast Properties with TLA William Hipschman Department of Computer Science The University of North Carolina at Chapel Hill Abstract Although group communication is vitally important

More information

Induction and Semantics in Dafny

Induction and Semantics in Dafny 15-414 Lecture 11 1 Instructor: Matt Fredrikson Induction and Semantics in Dafny TA: Ryan Wagner Encoding the syntax of Imp Recall the abstract syntax of Imp: a AExp ::= n Z x Var a 1 + a 2 b BExp ::=

More information

1.3. Conditional expressions To express case distinctions like

1.3. Conditional expressions To express case distinctions like Introduction Much of the theory developed in the underlying course Logic II can be implemented in a proof assistant. In the present setting this is interesting, since we can then machine extract from a

More information

15 212: Principles of Programming. Some Notes on Induction

15 212: Principles of Programming. Some Notes on Induction 5 22: Principles of Programming Some Notes on Induction Michael Erdmann Spring 20 These notes provide a brief introduction to induction for proving properties of ML programs. We assume that the reader

More information

Monotone Paths in Geometric Triangulations

Monotone Paths in Geometric Triangulations Monotone Paths in Geometric Triangulations Adrian Dumitrescu Ritankar Mandal Csaba D. Tóth November 19, 2017 Abstract (I) We prove that the (maximum) number of monotone paths in a geometric triangulation

More information

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS

This is already grossly inconvenient in present formalisms. Why do we want to make this convenient? GENERAL GOALS 1 THE FORMALIZATION OF MATHEMATICS by Harvey M. Friedman Ohio State University Department of Mathematics friedman@math.ohio-state.edu www.math.ohio-state.edu/~friedman/ May 21, 1997 Can mathematics be

More information

CS422 - Programming Language Design

CS422 - Programming Language Design 1 CS422 - Programming Language Design Denotational Semantics Grigore Roşu Department of Computer Science University of Illinois at Urbana-Champaign 2 Denotational semantics, alsoknownasfix-point semantics,

More information

The Rule of Constancy(Derived Frame Rule)

The Rule of Constancy(Derived Frame Rule) The Rule of Constancy(Derived Frame Rule) The following derived rule is used on the next slide The rule of constancy {P } C {Q} {P R} C {Q R} where no variable assigned to in C occurs in R Outline of derivation

More information

Petri-net-based Workflow Management Software

Petri-net-based Workflow Management Software Petri-net-based Workflow Management Software W.M.P. van der Aalst Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, NL-5600 MB, Eindhoven, The Netherlands,

More information

Lectures 20, 21: Axiomatic Semantics

Lectures 20, 21: Axiomatic Semantics Lectures 20, 21: Axiomatic Semantics Polyvios Pratikakis Computer Science Department, University of Crete Type Systems and Static Analysis Based on slides by George Necula Pratikakis (CSD) Axiomatic Semantics

More information

Abstract Interpretation

Abstract Interpretation Abstract Interpretation Ranjit Jhala, UC San Diego April 22, 2013 Fundamental Challenge of Program Analysis How to infer (loop) invariants? Fundamental Challenge of Program Analysis Key issue for any analysis

More information

On Meaning Preservation of a Calculus of Records

On Meaning Preservation of a Calculus of Records On Meaning Preservation of a Calculus of Records Emily Christiansen and Elena Machkasova Computer Science Discipline University of Minnesota, Morris Morris, MN 56267 chri1101, elenam@morris.umn.edu Abstract

More information

Proof Pearl: The Termination Analysis of Terminator

Proof Pearl: The Termination Analysis of Terminator Proof Pearl: The Termination Analysis of Terminator Joe Hurd Computing Laboratory Oxford University joe.hurd@comlab.ox.ac.uk Abstract. Terminator is a static analysis tool developed by Microsoft Research

More information

Analyzing Snapshot Isolation

Analyzing Snapshot Isolation Analyzing Snapshot Isolation Andrea Cerone Alexey Gotsman IMDEA Software Institute PODC 2016 presented by Dima Kuznetsov Andrea Cerone, Alexey Gotsman (IMDEA) Analyzing Snapshot Isolation PODC 2016 1 /

More information

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. ! What Are Formal Methods? David S. Rosenblum ICS 221 Winter 2001! Use of formal notations! first-order logic, state machines, etc.! in software system descriptions! system models, constraints, specifications,

More information

A GRAPH FROM THE VIEWPOINT OF ALGEBRAIC TOPOLOGY

A GRAPH FROM THE VIEWPOINT OF ALGEBRAIC TOPOLOGY A GRAPH FROM THE VIEWPOINT OF ALGEBRAIC TOPOLOGY KARL L. STRATOS Abstract. The conventional method of describing a graph as a pair (V, E), where V and E repectively denote the sets of vertices and edges,

More information

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m. CS 6110 S18 Lecture 8 Structural Operational Semantics and IMP Today we introduce a very simple imperative language, IMP, along with two systems of rules for evaluation called small-step and big-step semantics.

More information

Characterization of Boolean Topological Logics

Characterization of Boolean Topological Logics Characterization of Boolean Topological Logics Short Form: Boolean Topological Logics Anthony R. Fressola Denison University Granville, OH 43023 University of Illinois Urbana-Champaign, IL USA 61801-61802

More information

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections p.

CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections p. CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer Science (Arkoudas and Musser) Sections 10.1-10.3 p. 1/106 CSCI.6962/4962 Software Verification Fundamental Proof Methods in Computer

More information

Joint Entity Resolution

Joint Entity Resolution Joint Entity Resolution Steven Euijong Whang, Hector Garcia-Molina Computer Science Department, Stanford University 353 Serra Mall, Stanford, CA 94305, USA {swhang, hector}@cs.stanford.edu No Institute

More information

Appendix 1. Description Logic Terminology

Appendix 1. Description Logic Terminology Appendix 1 Description Logic Terminology Franz Baader Abstract The purpose of this appendix is to introduce (in a compact manner) the syntax and semantics of the most prominent DLs occurring in this handbook.

More information

2.1 Architectural Support for Integration in Distributed Reactive Systems

2.1 Architectural Support for Integration in Distributed Reactive Systems Integration in Distributed Reactive Systems Maarten Boasson Quaerendo Invenietis bv Universiteit van Amsterdam The Netherlands maarten@quaerendo.com Abstract Due to the many possible interactions with

More information

Appendix 1. Description Logic Terminology

Appendix 1. Description Logic Terminology Appendix 1 Description Logic Terminology Franz Baader Abstract The purpose of this appendix is to introduce (in a compact manner) the syntax and semantics of the most prominent DLs occurring in this handbook.

More information

2386 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 6, JUNE 2006

2386 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 6, JUNE 2006 2386 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 6, JUNE 2006 The Encoding Complexity of Network Coding Michael Langberg, Member, IEEE, Alexander Sprintson, Member, IEEE, and Jehoshua Bruck,

More information

Chapter 1. Introduction

Chapter 1. Introduction 1 Chapter 1 Introduction An exciting development of the 21st century is that the 20th-century vision of mechanized program verification is finally becoming practical, thanks to 30 years of advances in

More information

On Resolution Proofs for Combinational Equivalence Checking

On Resolution Proofs for Combinational Equivalence Checking On Resolution Proofs for Combinational Equivalence Checking Satrajit Chatterjee Alan Mishchenko Robert Brayton Department of EECS U. C. Berkeley {satrajit, alanmi, brayton}@eecs.berkeley.edu Andreas Kuehlmann

More information

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION CHAPTER 5 SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION Alessandro Artale UniBZ - http://www.inf.unibz.it/ artale/ SECTION 5.5 Application: Correctness of Algorithms Copyright Cengage Learning. All

More information

CSC 501 Semantics of Programming Languages

CSC 501 Semantics of Programming Languages CSC 501 Semantics of Programming Languages Subtitle: An Introduction to Formal Methods. Instructor: Dr. Lutz Hamel Email: hamel@cs.uri.edu Office: Tyler, Rm 251 Books There are no required books in this

More information

Extracting the Range of cps from Affine Typing

Extracting the Range of cps from Affine Typing Extracting the Range of cps from Affine Typing Extended Abstract Josh Berdine, Peter W. O Hearn Queen Mary, University of London {berdine, ohearn}@dcs.qmul.ac.uk Hayo Thielecke The University of Birmingham

More information

Formal semantics of loosely typed languages. Joep Verkoelen Vincent Driessen

Formal semantics of loosely typed languages. Joep Verkoelen Vincent Driessen Formal semantics of loosely typed languages Joep Verkoelen Vincent Driessen June, 2004 ii Contents 1 Introduction 3 2 Syntax 5 2.1 Formalities.............................. 5 2.2 Example language LooselyWhile.................

More information

Program Analysis: Lecture 02 Page 1 of 32

Program Analysis: Lecture 02 Page 1 of 32 Program Analysis: Lecture 02 Page 1 of 32 Program Analysis/ Mooly Sagiv Lecture 1, 31/10/2012 Operational Semantics Notes by: Kalev Alpernas As background to the subject of Program Analysis, we will first

More information

STABILITY AND PARADOX IN ALGORITHMIC LOGIC

STABILITY AND PARADOX IN ALGORITHMIC LOGIC STABILITY AND PARADOX IN ALGORITHMIC LOGIC WAYNE AITKEN, JEFFREY A. BARRETT Abstract. Algorithmic logic is the logic of basic statements concerning algorithms and the algorithmic rules of deduction between

More information

Automatic Generation of Graph Models for Model Checking

Automatic Generation of Graph Models for Model Checking Automatic Generation of Graph Models for Model Checking E.J. Smulders University of Twente edwin.smulders@gmail.com ABSTRACT There exist many methods to prove the correctness of applications and verify

More information

Semantics via Syntax. f (4) = if define f (x) =2 x + 55.

Semantics via Syntax. f (4) = if define f (x) =2 x + 55. 1 Semantics via Syntax The specification of a programming language starts with its syntax. As every programmer knows, the syntax of a language comes in the shape of a variant of a BNF (Backus-Naur Form)

More information

ARELAY network consists of a pair of source and destination

ARELAY network consists of a pair of source and destination 158 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 55, NO 1, JANUARY 2009 Parity Forwarding for Multiple-Relay Networks Peyman Razaghi, Student Member, IEEE, Wei Yu, Senior Member, IEEE Abstract This paper

More information

2 Introduction to operational semantics

2 Introduction to operational semantics 2 Introduction to operational semantics This chapter presents the syntax of a programming language, IMP, a small language of while programs. IMP is called an "imperative" language because program execution

More information

1 Variations of the Traveling Salesman Problem

1 Variations of the Traveling Salesman Problem Stanford University CS26: Optimization Handout 3 Luca Trevisan January, 20 Lecture 3 In which we prove the equivalence of three versions of the Traveling Salesman Problem, we provide a 2-approximate algorithm,

More information

Modal Logic: Implications for Design of a Language for Distributed Computation p.1/53

Modal Logic: Implications for Design of a Language for Distributed Computation p.1/53 Modal Logic: Implications for Design of a Language for Distributed Computation Jonathan Moody (with Frank Pfenning) Department of Computer Science Carnegie Mellon University Modal Logic: Implications for

More information

On the Definition of Sequential Consistency

On the Definition of Sequential Consistency On the Definition of Sequential Consistency Ali Sezgin Ganesh Gopalakrishnan Abstract The definition of sequential consistency is compared with an intuitive notion of correctness. A relation between what

More information

On the Relationships between Zero Forcing Numbers and Certain Graph Coverings

On the Relationships between Zero Forcing Numbers and Certain Graph Coverings On the Relationships between Zero Forcing Numbers and Certain Graph Coverings Fatemeh Alinaghipour Taklimi, Shaun Fallat 1,, Karen Meagher 2 Department of Mathematics and Statistics, University of Regina,

More information

COMPUTABILITY THEORY AND RECURSIVELY ENUMERABLE SETS

COMPUTABILITY THEORY AND RECURSIVELY ENUMERABLE SETS COMPUTABILITY THEORY AND RECURSIVELY ENUMERABLE SETS JOSHUA LENERS Abstract. An algorithm is function from ω to ω defined by a finite set of instructions to transform a given input x to the desired output

More information

Data Analytics and Boolean Algebras

Data Analytics and Boolean Algebras Data Analytics and Boolean Algebras Hans van Thiel November 28, 2012 c Muitovar 2012 KvK Amsterdam 34350608 Passeerdersstraat 76 1016 XZ Amsterdam The Netherlands T: + 31 20 6247137 E: hthiel@muitovar.com

More information

Discrete Mathematics Lecture 4. Harper Langston New York University

Discrete Mathematics Lecture 4. Harper Langston New York University Discrete Mathematics Lecture 4 Harper Langston New York University Sequences Sequence is a set of (usually infinite number of) ordered elements: a 1, a 2,, a n, Each individual element a k is called a

More information

Module 11. Directed Graphs. Contents

Module 11. Directed Graphs. Contents Module 11 Directed Graphs Contents 11.1 Basic concepts......................... 256 Underlying graph of a digraph................ 257 Out-degrees and in-degrees.................. 258 Isomorphism..........................

More information

Byzantine Consensus in Directed Graphs

Byzantine Consensus in Directed Graphs Byzantine Consensus in Directed Graphs Lewis Tseng 1,3, and Nitin Vaidya 2,3 1 Department of Computer Science, 2 Department of Electrical and Computer Engineering, and 3 Coordinated Science Laboratory

More information

1 Introduction. 3 Syntax

1 Introduction. 3 Syntax CS 6110 S18 Lecture 19 Typed λ-calculus 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic semantics,

More information

Introduction to Formal Methods

Introduction to Formal Methods 2008 Spring Software Special Development 1 Introduction to Formal Methods Part I : Formal Specification i JUNBEOM YOO jbyoo@knokuk.ac.kr Reference AS Specifier s Introduction to Formal lmethods Jeannette

More information

Chapter 3. The While programming language

Chapter 3. The While programming language Chapter 3 The While programming language 1 Contents 3 The While programming language 1 3.1 Big-step semantics........................... 2 3.2 Small-step semantics.......................... 9 3.3 Properties................................

More information

Reflection in the Chomsky Hierarchy

Reflection in the Chomsky Hierarchy Reflection in the Chomsky Hierarchy Henk Barendregt Venanzio Capretta Dexter Kozen 1 Introduction We investigate which classes of formal languages in the Chomsky hierarchy are reflexive, that is, contain

More information

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics CONVENTIONAL EXECUTABLE SEMANTICS Grigore Rosu CS522 Programming Language Semantics Conventional Semantic Approaches A language designer should understand the existing design approaches, techniques and

More information

Introduction to Sets and Logic (MATH 1190)

Introduction to Sets and Logic (MATH 1190) Introduction to Sets and Logic () Instructor: Email: shenlili@yorku.ca Department of Mathematics and Statistics York University Dec 4, 2014 Outline 1 2 3 4 Definition A relation R from a set A to a set

More information

CHAPTER 8. Copyright Cengage Learning. All rights reserved.

CHAPTER 8. Copyright Cengage Learning. All rights reserved. CHAPTER 8 RELATIONS Copyright Cengage Learning. All rights reserved. SECTION 8.3 Equivalence Relations Copyright Cengage Learning. All rights reserved. The Relation Induced by a Partition 3 The Relation

More information

Enhancing The Fault-Tolerance of Nonmasking Programs

Enhancing The Fault-Tolerance of Nonmasking Programs Enhancing The Fault-Tolerance of Nonmasking Programs Sandeep S Kulkarni Ali Ebnenasir Department of Computer Science and Engineering Michigan State University East Lansing MI 48824 USA Abstract In this

More information

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics Recall Architecture of Compilers, Interpreters CMSC 330: Organization of Programming Languages Source Scanner Parser Static Analyzer Operational Semantics Intermediate Representation Front End Back End

More information

A SIMPLE APPROXIMATION ALGORITHM FOR NONOVERLAPPING LOCAL ALIGNMENTS (WEIGHTED INDEPENDENT SETS OF AXIS PARALLEL RECTANGLES)

A SIMPLE APPROXIMATION ALGORITHM FOR NONOVERLAPPING LOCAL ALIGNMENTS (WEIGHTED INDEPENDENT SETS OF AXIS PARALLEL RECTANGLES) Chapter 1 A SIMPLE APPROXIMATION ALGORITHM FOR NONOVERLAPPING LOCAL ALIGNMENTS (WEIGHTED INDEPENDENT SETS OF AXIS PARALLEL RECTANGLES) Piotr Berman Department of Computer Science & Engineering Pennsylvania

More information

Symbolic Execution and Proof of Properties

Symbolic Execution and Proof of Properties Chapter 7 Symbolic Execution and Proof of Properties Symbolic execution builds predicates that characterize the conditions under which execution paths can be taken and the effect of the execution on program

More information

Asynchronous Models. Chapter Asynchronous Processes States, Inputs, and Outputs

Asynchronous Models. Chapter Asynchronous Processes States, Inputs, and Outputs Chapter 3 Asynchronous Models 3.1 Asynchronous Processes Like a synchronous reactive component, an asynchronous process interacts with other processes via inputs and outputs, and maintains an internal

More information

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Semantics

CONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS422 Programming Language Semantics CONVENTIONAL EXECUTABLE SEMANTICS Grigore Rosu CS422 Programming Language Semantics Conventional Semantic Approaches A language designer should understand the existing design approaches, techniques and

More information

Formal Syntax and Semantics of Programming Languages

Formal Syntax and Semantics of Programming Languages Formal Syntax and Semantics of Programming Languages Mooly Sagiv Reference: Semantics with Applications Chapter 2 H. Nielson and F. Nielson http://www.daimi.au.dk/~bra8130/wiley_book/wiley.html The While

More information

6.001 Notes: Section 8.1

6.001 Notes: Section 8.1 6.001 Notes: Section 8.1 Slide 8.1.1 In this lecture we are going to introduce a new data type, specifically to deal with symbols. This may sound a bit odd, but if you step back, you may realize that everything

More information

On the Hardness of Counting the Solutions of SPARQL Queries

On the Hardness of Counting the Solutions of SPARQL Queries On the Hardness of Counting the Solutions of SPARQL Queries Reinhard Pichler and Sebastian Skritek Vienna University of Technology, Faculty of Informatics {pichler,skritek}@dbai.tuwien.ac.at 1 Introduction

More information

Towards a Logical Reconstruction of Relational Database Theory

Towards a Logical Reconstruction of Relational Database Theory Towards a Logical Reconstruction of Relational Database Theory On Conceptual Modelling, Lecture Notes in Computer Science. 1984 Raymond Reiter Summary by C. Rey November 27, 2008-1 / 63 Foreword DB: 2

More information

On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency

On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency On partial order semantics for SAT/SMT-based symbolic encodings of weak memory concurrency Alex Horn and Daniel Kroening University of Oxford April 30, 2015 Outline What s Our Problem? Motivation and Example

More information

Greedy Algorithms 1. For large values of d, brute force search is not feasible because there are 2 d

Greedy Algorithms 1. For large values of d, brute force search is not feasible because there are 2 d Greedy Algorithms 1 Simple Knapsack Problem Greedy Algorithms form an important class of algorithmic techniques. We illustrate the idea by applying it to a simplified version of the Knapsack Problem. Informally,

More information

VS 3 : SMT Solvers for Program Verification

VS 3 : SMT Solvers for Program Verification VS 3 : SMT Solvers for Program Verification Saurabh Srivastava 1,, Sumit Gulwani 2, and Jeffrey S. Foster 1 1 University of Maryland, College Park, {saurabhs,jfoster}@cs.umd.edu 2 Microsoft Research, Redmond,

More information

Lecture 3: Recursion; Structural Induction

Lecture 3: Recursion; Structural Induction 15-150 Lecture 3: Recursion; Structural Induction Lecture by Dan Licata January 24, 2012 Today, we are going to talk about one of the most important ideas in functional programming, structural recursion

More information

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION

SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION CHAPTER 5 SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION Copyright Cengage Learning. All rights reserved. SECTION 5.5 Application: Correctness of Algorithms Copyright Cengage Learning. All rights reserved.

More information

Research Report. (Im)Possibilities of Predicate Detection in Crash-Affected Systems. RZ 3361 (# 93407) 20/08/2001 Computer Science 27 pages

Research Report. (Im)Possibilities of Predicate Detection in Crash-Affected Systems. RZ 3361 (# 93407) 20/08/2001 Computer Science 27 pages RZ 3361 (# 93407) 20/08/2001 Computer Science 27 pages Research Report (Im)Possibilities of Predicate Detection in Crash-Affected Systems Felix C. Gärtner and Stefan Pleisch Department of Computer Science

More information

Elementary Recursive Function Theory

Elementary Recursive Function Theory Chapter 6 Elementary Recursive Function Theory 6.1 Acceptable Indexings In a previous Section, we have exhibited a specific indexing of the partial recursive functions by encoding the RAM programs. Using

More information

Big-step Operational Semantics Revisited

Big-step Operational Semantics Revisited Fundamenta Informaticae XXI (2001) 1001 1035 1001 IOS Press Big-step Operational Semantics Revisited Jarosław ominik Mateusz Kuśmierek Institute of Informatics Warsaw University, Poland jdk@google.com

More information

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Hoare logic. A proof system for separation logic. Introduction. Separation logic Introduction Hoare logic Lecture 6: Examples in separation logic In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing separation logic.

More information

Verification Condition Generation

Verification Condition Generation Verification Condition Generation Jorge Sousa Pinto Departamento de Informática / Universidade do Minho jsp@di.uminho.pt www.di.uminho.pt/~jsp Outline (1) - From Hoare Logic to VCGen algorithms: an architecture

More information

Leslie Lamport: The Specification Language TLA +

Leslie Lamport: The Specification Language TLA + Leslie Lamport: The Specification Language TLA + This is an addendum to a chapter by Stephan Merz in the book Logics of Specification Languages by Dines Bjørner and Martin C. Henson (Springer, 2008). It

More information

On Universal Cycles of Labeled Graphs

On Universal Cycles of Labeled Graphs On Universal Cycles of Labeled Graphs Greg Brockman Harvard University Cambridge, MA 02138 United States brockman@hcs.harvard.edu Bill Kay University of South Carolina Columbia, SC 29208 United States

More information

Module 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur

Module 3. Requirements Analysis and Specification. Version 2 CSE IIT, Kharagpur Module 3 Requirements Analysis and Specification Lesson 6 Formal Requirements Specification Specific Instructional Objectives At the end of this lesson the student will be able to: Explain what a formal

More information

Incompatibility Dimensions and Integration of Atomic Commit Protocols

Incompatibility Dimensions and Integration of Atomic Commit Protocols The International Arab Journal of Information Technology, Vol. 5, No. 4, October 2008 381 Incompatibility Dimensions and Integration of Atomic Commit Protocols Yousef Al-Houmaily Department of Computer

More information

Theorem 2.9: nearest addition algorithm

Theorem 2.9: nearest addition algorithm There are severe limits on our ability to compute near-optimal tours It is NP-complete to decide whether a given undirected =(,)has a Hamiltonian cycle An approximation algorithm for the TSP can be used

More information

6. Hoare Logic and Weakest Preconditions

6. Hoare Logic and Weakest Preconditions 6. Hoare Logic and Weakest Preconditions Program Verification ETH Zurich, Spring Semester 07 Alexander J. Summers 30 Program Correctness There are many notions of correctness properties for a given program

More information

ONE-STACK AUTOMATA AS ACCEPTORS OF CONTEXT-FREE LANGUAGES *

ONE-STACK AUTOMATA AS ACCEPTORS OF CONTEXT-FREE LANGUAGES * ONE-STACK AUTOMATA AS ACCEPTORS OF CONTEXT-FREE LANGUAGES * Pradip Peter Dey, Mohammad Amin, Bhaskar Raj Sinha and Alireza Farahani National University 3678 Aero Court San Diego, CA 92123 {pdey, mamin,

More information

FUTURE communication networks are expected to support

FUTURE communication networks are expected to support 1146 IEEE/ACM TRANSACTIONS ON NETWORKING, VOL 13, NO 5, OCTOBER 2005 A Scalable Approach to the Partition of QoS Requirements in Unicast and Multicast Ariel Orda, Senior Member, IEEE, and Alexander Sprintson,

More information